GitHub security tool checks passwords against 517m breached credentials

06 Aug 18

Web development and coding platform GitHub has rolled out password and two-factor authentication revamps to make user accounts more secure – thanks to the popular password checking site HaveIBeenPwned.com.

GitHub’s new password security feature works by checking to see if a particular password has already been compromised in a breach.

Security expert Troy Hunt created HaveIBeenPwned.com, a website that allows people to see if their emails and passwords have been involved in a data breach. Hunt also created a dataset of around 517 million compromised passwords and made these publicly available on the website.

GitHub used that dataset to create an internal version of the service, which means it can check if a user’s password has been found in any publicly available sets of breach data.

“People using compromised passwords will be prompted to select a different password during login, registration, or when updating their password. Don’t worry, your password is protected by the password hashing function bcrypt in our database. We only verify whether your password has been compromised when you provide it to us,” GitHub explains.
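The check GitHub describes, as an added illustration that is not GitHub's code or HaveIBeenPwned's: a small internal lookup service built on a file in the layout of the public Pwned Passwords download (one uppercase SHA-1 hex digest, a colon, then a breach count per line), queried at registration, login or password change. The sample rows and their counts are constructed here from plaintexts; the bcrypt hashing of the stored credential that GitHub mentions is a separate step and is not shown.

```python
import hashlib
from typing import Dict, Optional

# Constructed sample entries (plaintext -> breach count). Counts are made up
# for illustration; the digests are computed below so the file format matches.
_SAMPLE_PLAINTEXTS = {"password": 1000, "123456": 5000, "qwerty": 250}


def sha1_hex(password: str) -> str:
    """Uppercase SHA-1 hex digest, the key used in the Pwned Passwords download."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed dataset text in 'HASH:COUNT' form, one entry per line.
SAMPLE_DATASET = "\n".join(
    f"{sha1_hex(plain)}:{count}" for plain, count in _SAMPLE_PLAINTEXTS.items()
)


def load_breached_hashes(text: str) -> Dict[str, int]:
    """Parse 'HASH:COUNT' lines into a lookup table keyed by SHA-1 hex digest."""
    table: Dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, _, count = line.partition(":")
        table[digest.upper()] = int(count)
    return table


class BreachedPasswordChecker:
    """Internal version of the service: the plaintext is hashed only to look it
    up at the moment the user supplies it; nothing about the query is stored."""

    def __init__(self, table: Dict[str, int]) -> None:
        self._table = table

    def breach_count(self, password: str) -> int:
        """How many times this exact password appears in the breach corpus (0 if never)."""
        return self._table.get(sha1_hex(password), 0)

    def is_compromised(self, password: str) -> bool:
        return self.breach_count(password) > 0


def validate_new_password(checker: BreachedPasswordChecker, password: str) -> Optional[str]:
    """Return None when the password is acceptable, otherwise the message the
    user would see prompting them to pick a different password."""
    count = checker.breach_count(password)
    if count:
        return f"This password has appeared in {count:,} breaches; choose a different one."
    return None


checker = BreachedPasswordChecker(load_breached_hashes(SAMPLE_DATASET))

if __name__ == "__main__":
    for candidate in ("password", "correct-horse-battery-staple-9x"):
        print(candidate, "->", validate_new_password(checker, candidate) or "accepted")
```

The lookup is keyed on the hash of the exact string, so a breached password remains caught regardless of which site it leaked from, while a password that is merely weak but absent from the corpus passes this check and must be caught by other policy.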

GitHub has also improved its two-factor authentication methods. It will now ‘periodically’ remind users to review their two-factor authentication setups and recovery options.

Those recovery options include two-factor authentication codes; fallback numbers; account recovery tokens; and FIDO U2F keys.

“We highly recommend using a 2FA authenticator application that supports cloud backups in the event your phone is lost, stolen, or falls in the ocean,” GitHub adds.

GitHub users who haven’t set up two-factor authentication can access it by going to their account settings and clicking the ‘Security’ tab.

GitHub also recommends the following actions:

1. Update your password to a long, unique value that is generated by a password manager. Consider a cloud-synchronised password manager.

2. Use two-factor authentication. Using a TOTP application is more secure than using SMS to deliver codes, but has a higher chance of irrecoverable loss leading to account lockout. Consider a cloud-synchronised application that supports securely backing up your two-factor credentials.

3. Ensure you have a method of recovering your account if you lose access to your two-factor device. Having a hardware U2F key is a secure option. Also, be sure to store your two-factor backup codes somewhere secure like a password manager or a secure physical location. Consider linking your account to Facebook via Recover Accounts Elsewhere.

4. Update your primary email address if necessary and determine if a backup email address is desirable. These settings will determine which email address(es) are allowed to perform a password reset.

5. Review other GitHub credentials. While we remove SSH keys, deploy keys, OAuth authorisations, and personal access tokens that have not been used in a year, it’s always a good idea to manually review them periodically.

6. Consider signing up for HaveIBeenPwned notifications. You do not need to provide a password.

GitHub says its new security improvements are designed to help users balance security, recoverability, and usability of their accounts.
